MAFIA fraud is a man-in-the-middle attack against an

Transcription

1 5690 IEEE TRANSACTIONS ON WIRELESS COMMUNICATIONS, VOL. 13, NO. 10, OCTOBER 2014 Distance Bounding Facing Both Mafia and Distance Frauds Rolando Trujillo-Rasua, Benjamin Martin, and Gildas Avoine Abstract Contactless technologies such as radio-frequency identification, near field communication, and sensor networks are vulnerable to mafia and distance fraud. These types of fraud are aimed at successfully passing an authentication protocol by cheating on the actual distance between the prover and the verifier. Distance-bounding protocols have been designed to cope with these security issues, but none of them properly resist these two types of fraud without requiring additional memory and computation. The situation is even worse considering that just a few distance-bounding protocols are able to deal with the inherent background noise on the communication channels. This paper introduces a noise-resilient distance-bounding protocol that resists both mafia and distance fraud. The security of the protocol is analyzed against known attacks and illustrated by experimental results. The results demonstrate the significant advantage of the introduced lightweight design over previous proposals. Index Terms Authentication, distance-bounding, relay attack. I. INTRODUCTION MAFIA fraud is a man-in-the-middle attack against an authentication protocol where the adversary relays the exchanges between the verifier and the prover, making them believe they directly communicate together. The earliest version of this attack was introduced by Conway in 1976 and is known as the chess grandmaster problem [1]. In this problem, a little girl competes with two grandmasters at the same time during postal chess games. She eventually wins a game or draws both by transparently relaying the moves between the two grandmasters. This fraud was resurrected in the cryptography field by Desmedt, Bengio and Goutier in 1987 [2], who suggested to apply it against the Fiat-Shamir zero-knowledge protocol [3]. The mafia fraud is particularly powerful against contactless technologies. The most threaten systems are radio-frequency identification (RFID) and Near Field Communication (NFC) because the devices answer to any solicitation without explicit agreement of their holder. The vulnerability of these Manuscript received October 8, 2013; revised March 1, 2014; accepted April 28, Date of publication May 14, 2014; date of current version October 8, The associate editor coordinating the review of this paper and approving it for publication was Y. Guan. R. Trujillo-Rasua is with the Interdisciplinary Centre for Security, Reliability and Trust, University of Luxembourg, Luxembourg City L-1615, Luxembourg ( rolando.trujillo@uni.lu). B. Martin is with the Université Catholique de Louvain, Louvain-la-Neuve 1348, Belgium. G. Avoine is with the Université Catholique de Louvain, Louvain-la-Neuve 1348, Belgium, and also with the Institute of Research in Information Science and Random Systems, Institut National des Sciences Appliquées de Rennes, Rennes 35708, France. Digital Object Identifier /TWC technologies have already been illustrated by several practical attacks [4] [7]. Two other attacks related to the mafia fraud exist: the distance fraud and the terrorist fraud. The distance fraud only involves a malicious prover, who cheats on his distance to the verifier. It was first introduced by Brands and Chaum [8]. The terrorist fraud not considered in this paper is an exotic variant of the mafia fraud where the prover is malicious and actively helps the adversary to succeed the attack [9]. The few protocols [10], [12], [13] that address this fraud are unfortunately unsuited to low-resource devices. As mentioned above, a distance measuring process can mitigate the mafia and distance frauds. Brands and Chaum [8] demonstrated this assumption and proposed the first distancebounding protocol (DB protocol). The distance estimation relies on the measurement of the Round-Trip-Time (RTT) of single bit exchanges. Considering the physical impossibility to travel faster than the speed of light, RTT bounds the distance between the parties. In addition to the distance measurement, Brands and Chaum s protocol offers an authentication part: the values exchanged during the RTT measurement are signed by the prover. Hence, the authentication and distance measurement are interleaved such that only a close legitimate prover can produce them. Since then, several distance-bounding protocols have been proposed [21]. However, none of the current protocols is lightweight and resists well to both mafia and distance frauds. Furthermore, just a few of them are able to deal with the inherent background noise of the communication channel. In this paper, we focus on four lightweight protocols [14] [16], [20]. These protocols are lightweight in the sense that they do not rely on heavy cryptographic operations such as signature or commitment scheme. They are also lightweight in the sense that they do not require an additional (time and resources consuming) slow phase 1 to terminate the protocol execution. Contribution: In this paper, we introduce a novel DB protocol that resists to both mafia and distance frauds. To do so, the protocol has been designed to be round-dependent in the spirit of [14], [16], [20]. However, contrary to those protocols, our proposal is provided with a mechanism to deal with noise in the communication channel. Additionally, our protocol does not require computationally expensive primitives, and it has a very low memory requirement. Therefore, it is efficient and suitable for extremely low-resource devices. We provide analytical and 1 In DB protocols, a fast phase is a phase where the verifier computes RTTs. A phase is slow when no RTT measurement occurs IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See for more information.

2 TRUJILLO-RASUA et al.: DISTANCE BOUNDING FACING BOTH MAFIA AND DISTANCE FRAUDS 5691 Fig. 1. Sketch of a HK-like distance-bounding protocol. experimental results that together demonstrate the significant advantage of the introduced lightweight design over the previous proposals. Organization: Section II presents the background of DB protocols. Section III explains the rationality behind our proposal and Section III-A presents the proposal. Section IV-A and IV-B are dedicated to the resistance of the protocol to mafia and distance frauds, respectively. Section V describes our noise resiliency mechanism. Section VI provides comparative results with several DB protocols in both scenarios the noise-free case and the noisy case. Finally, Section VII draws the conclusions. II. BACKGROUND ON DISTANCE-BOUNDING The first DB protocol suitable for resource-constrained devices (e.g., RFID tags) was proposed by Hancke and Kuhn [15] in This protocol is considered lightweight in the sense that a single computation of a hash a function and a call to a Pseudo Random Number Generator (PRNG) are the most costly operations required for its execution. Moreover, Hancke and Kuhn s protocol is only divided in two phases, a slow phase followed by a fast phase. The simplicity and efficiency of this protocol yield to similar designs for other DB protocols in particular [14], [16], [20], which modify how the answers are calculated in order to improve the security performances. The structure common to the reviewed protocols can be described as follows (see Fig. 1). The protocol contains first of all a slow phase, in which nonces are generated and exchanged. From these nonces and a secret value x, the possible responses used in the fast phase are computed via a function f. Then the fast phase consists of n consecutive rounds. In each of these rounds, the verifier picks a challenge c i, starts a timer and sends c i to the prover. When the prover receives the challenge he computes the answer r i and sends it back to the verifier as soon as possible. Upon reception of the answer, the verifier stores it as well as the round trip time. Once the n rounds are elapsed, the verifier checks the validity of the answers, i.e., the correctness of the answers and the RTTs. If this holds for the n rounds, the protocol succeeds. We next provide the main characteristics of the considered lightweight distance-bounding protocols. Hancke and Kuhn s Protocol: In Hancke and Kuhn s protocol [15], the function f used for computing the prover s answers is a hash function that outputs 2n bits, which are used to fill two n-bit registers: R 0 and R 1. During the fast phase, the prover s answers are computed in the following way: r i = R c i i, i.e., if c i =0, the response is the ith bit of the register R 0, otherwise the response is the ith bit of the register R 1. At the end of the fast phase, the verifier checks whether the r i s are the expected ones and the measured RTTs are below a given threshold. Avoine and Tchamkerten s Protocol: Avoine and Tchamkerten s protocol [14], known as AT, aims at enhancing the security of Hancke and Khun s protocol. AT relies on binary trees to compute the prover answers used in the fast phase. The function f of this protocol is a hash function with output size c + l (2 d+1 2) bits where c is the size of what the authors call credential: a bit sequence allowing the prover to be authenticated if the fast phase of this protocol is not completed. The two other parameters l and d impact on the protocol resistance against mafia and distance frauds. Indeed, in [14], the authors propose two versions of their protocol. In the first one, a single binary tree of depth n is used to provide the prover answers during the fast phase. In a second version, they propose to use l trees of depth d, with n = d l. From the nonces and the secret, the f output fills the vertex of the trees. Left side edges are labelled with 0, while right side edges are labelled with 1. The edges simply represent the verifier challenges. During the fast phase, the verifier challenges define a unique path through the trees. From a given position in the trees, if the current challenge is 0, the prover answers the value located on the left child of his position. He answers using the right child otherwise. At the end of the fast phase, the verifier checks the correctness of these answers, i.e., this is the sequence corresponding to the sequence of challenges he asked. He also checks the prover proximity, i.e., all the measured RTTs are below a given threshold. If these two conditions hold, the protocols succeeds and the prover is authenticated. Trujillo-Rasua, Martin and Avoine s Protocol: Trujillo- Rasua et al. s protocol [20], known as Poulidor, relies on a graph rather than a tree as done by the Avoine and Tchamkerten s protocol. The graph has 2n vertexes denoted q i (i {0,...,2n 1}) such that each of them is connected to q i+1( mod 2n) by the edge s i and to q i+2( mod 2n) by l i.the function f outputs 4n bits: half of them fill the 2n vertexes and the remaining bits label the 2n edges s i. The edges l i are labelled with the complementary value of s i : l i = s i 1. During the fast phase, the verifier s challenges create a unique path along the graph. The correct answers expected from the prover are the nodes visited through this path. At each round, the verifier s challenge define which of l i or s i the prover follows to provide his next answer. The verification process in Poulidor is identical to the one in AT [14]. Kim and Avoine s Protocol: Kim and Avoine s protocol [16], known as KA2, does not rely on trees or graphs to provide the prover with the correct answers during the fast phase. Instead, it introduces an attack detection mechanism that allows the prover to detect the adversary during the fast phase. The prover detects the adversary via predefined challenges. Using the output of the function f, the prover and the verifier agree on the first α challenges asked by the verifier during the fast phase. If the prover receives an incorrect challenge in one of the first α rounds of the fast phase, he knows that he is under attack, and thus he answers all the subsequent rounds at random. The function f is a pseudo random function whose output size is 2n.

3 5692 IEEE TRANSACTIONS ON WIRELESS COMMUNICATIONS, VOL. 13, NO. 10, OCTOBER 2014 The first n bits fill the n-bit register R 0,then α following bits fill the (n α)-bit register R 1,theα remaining bits fill the α-bit register D. The fast phase is split into two distinct phases. The first α rounds support the predefined challenges. At each round, the verifier sends a bit of D. The prover checks that this challenge is the expected one. If so, he answers a bit of R 0, otherwise he answers at random for the rest of the protocols. During the n α rounds of the fast phase, the protocol works as Hancke and Kuhn s one. At the end of the fast phase, the verifier checks that the r i s are those he expected, and the measured RTTs are below a threshold decided in advance by the parties. On Other Distance-Bounding Protocols: There exist DB protocols with different designs and computational complexities. Some of them are based on signatures and/or a final extra slow phase [8], [19]. Others are designs that could be adapted to most DB protocols such as void challenge [17], punishment [22], and those that increase the number of states [23], [24]. However, they are beyond the scope of this article that focuses on DB protocols similar in design to Hancke and Kuhn s proposal [15]. The interested reader could refer to [21] for more details on DB protocols. III. PROPOSAL Being resistant to both mafia and distance frauds is the primary goal of a DB protocol. An important lower-bound for both frauds is (1/2) n, which is the probability of a naive adversary who answers randomly to the n verifier s challenges during the fast phase. However, this resistance is hard to attain for lightweight DB protocols. Therefore, our aim is to design a protocol that is close to this bound for both mafia and distance frauds, without requiring costly operations or an extra final slow phase. We also aim to reach the additional property of being noise-resilient. Below, the intuitions that lead to our design are explained. 1) Mafia Fraud: Among the DB protocols without final slow phase, those achieving the best mafia fraud resistance are round-dependent [14], [16], [20]. The idea is that the correct answer at the ith round should depend on the ith challenge and also on the (i 1) previous challenges. Our proposal uses a round-dependent construction significantly simpler than those proposed in [14], [16], [20], though. 2) Distance Fraud: As in mafia fraud, the best protocols in terms of distance fraud are round-dependent. However, rounddependency by means of predefined challenges as in Kim and Avoine s construction [16] fails to properly resist to distance fraud. Intuitively, the higher control over the challenges the prover has, the lower the resistance to distance fraud is. For this reason, our proposal allows the verifier to have full and exclusive control over the challenges. 3) Noise-Resiliency: Round-dependent protocols can hardly work in noisy environments. A noise in a given round might affect all the subsequent rounds, which become useless from the security point of view. Therefore, in order to deal with noise, round-dependent protocols should be able to detect the noisy rounds so that the prover s responses can be checked considering this noise occurrences. To the best of our knowledge, our Fig. 2. Protocol description. protocol is the first round-dependent DB protocol able to detect such noisy rounds with a high level of accuracy thanks to the simplicity of its design. A. Description of Our Protocol This section describes the DB protocol introduced in the paper. Initialization, execution, and decision steps are presented below and a general view is provided in Fig. 2. 1) Initialization: The prover (P ) and the verifier (V ) agree on (a) a security parameter n, (b) a timing bound Δt max,(c)a pseudo random function PRF that outputs 3n bits, (d) a secret key x. 2) Execution: The protocol consists of a slow phase and a fast phase. 3) Slow Phase: P (respectively V ) randomly picks a nonce N P (respectively N V ) and sends it to V (respectively P ). Afterwards, P and V compute PRF(x, N P,N V ) and divide the result into three n-bit registers Q, R 0, and R 1.BothP and V create the function f Q : S {0, 1} where S is the set of all the bit-sequences of size at most n including the empty sequence. The function f Q is parameterized with the bit-sequence Q = q 1...q n, and it outputs 0 when the input is the empty sequence. For every non-empty bit-sequence C i = c 1...c i where 1 i n, the function is defined as f Q (C i )= i j=1 (c j q j ). 4) Fast Phase: In each of the n rounds, V picks a random challenge c i R {0, 1}, starts a timer, and sends c i to P. Upon reception of c i, P replies with r i = R c i i f Q (C i ) where C i = c 1...c i. Once V receives r i, he stops the timer and computes the round-trip-time Δt i. 5) Decision: If Δt i < Δt max and r i = R c i i {1, 2,...,n} then the protocol succeeds. 2 IV. SECURITY ANALYSIS f Q (C i ) i A. Resistance to Mafia Fraud No formal model have been suggested yet to analyze DB protocols. Consequently, the analysis provided here follows the framework introduced in [21], which suggests to consider two 2 Δt max is a system parameter that implicitly represents the maximum allowed distance between the prover and the verifier.

4 TRUJILLO-RASUA et al.: DISTANCE BOUNDING FACING BOTH MAFIA AND DISTANCE FRAUDS 5693 attack strategies for the mafia fraud: the pre-ask and the postask strategies. The latter is however useless in protocols without a final slow phase [21], which is the case of our protocol. We therefore focus on the pre-ask strategy only. The pre-ask strategy consists first, for the adversary, to relay the initial slow phase. Then, she runs the fast phase with the prover. With the answers she obtains, she finally executes the fast phase with the verifier. In our case, we consider that the adversary first sends a sequence of challenges c 1... c n to the legitimate prover and receives r 1... r n where r i = R c i i f Q ( C i ) and C i = c 1... c i for every i {1,...,n}. Next, she executes the fast phase with the verifier receiving the challenges c 1...c n.given r 1... r n, the adversarial behavior that maximizes the success probability is provided in Theorem 1. Theorem 1: The adversary s behavior that maximizes her mafia fraud success probability with a pre-ask strategy is: (a) For every round i where c i c i, answer randomly. (b) For every round i where c i = c i, guess the value f Q (C i ) f Q ( C i ) and answer with the value f Q (C i ) f Q ( C i ) r i where C i = c 1...c i and C i = c 1... c i. Proof: If c i = c i, then R c i i = R c i i, which means that r i f Q ( C i )=r i f Q (C i ) r i =f Q ( C i ) f Q (C i ) r i. Therefore, either the adversary guesses f Q (C i ) f Q ( C i ) or the adversary losses this round. In the case where c i c i, the prover s response r i does not help the adversary since R c i i and R c i i are independent values. Therefore, whatever the adversary behavior her success probability at this round is 1/2. Theorem 1 states that an adversary able to guess the correct response in a given round i where c i = c i, is also able to correctly determine the value of f Q (C i ) f Q ( C i ). Moreover, in the case where c i c i there is full uncertainty with respect to the correct response r i. As a result, the adversary success probability exclusively depends on her ability to guess f Q (C i ) f Q ( C i ). Theorem 2 elaborates more on this and provides a recursive way to compute the maximal adversary success probability. Theorem 2: Let M i be the event that the adversary has won the first i rounds by following her best behavior with the preask strategy. Let S i be the event that the adversary guesses f Q (C i ) f Q ( C i ) at the ith round. The probability Pr(M i ) can be recursively computed as follows: Pr(M i ) ( ) ( i 1 = +Pr(M i C i 2 C i ) 1 ( ) ) i 1 2 Pr(M i C i C i ) =Pr(M i C i C i,m i 1 ) ( ( 1 2 i 1 +Pr(M i 1 C i 1 C i 1 ) 1 1 )) 2 i 1 Pr(M i C i C i,m i 1 ) ) = 2i 2 2 i 1 +Pr(S i 1 C i 1 C i 1,M i 1 ) (1 2i 1 2 i 1 Pr(S i C i C i,m i ) = Pr(S i 1 M i 1,C i 1 C i 1 ) Pr(M i C i C i ) Pr(M i 1 C i 1 C ( 1 i 1 ) 4 ( ) ) 1 i ( ) 1 i 2 where Pr(M 1 C 1 C 1 )=1/2 and Pr(S 1 C 1 C 1,M 1 )= 1/2 are the stopping conditions. Proof: Given that the theorem proof is not required to understand what follows, the proof is provided in [25]. B. Resistance to Distance Fraud This section analyzes the adversary success probability when mounting a distance fraud. As stated in [21], the common way to analyze the resistance to distance fraud is by considering the early-reply strategy instead of the pre-ask strategy. 3 This strategy consists in sending the responses in advance, i.e., before receiving the challenges. Doing so, the adversary saves time and might pass the timing constraint. In this section, the behavior that maximizes the success probability using the earlyreply strategy is identified, and then a recursive way to compute the resistance w.r.t. a distance fraud is provided. Theorem 3: Let C i be the sequence of challenges c 1...c i sent by the verifier until the ith round (i 1). The adversary s behavior that maximizes her distance fraud success probability is equivalent to the best behavior for guessing the values f Q (C 1 ),f Q (C 2 ),...,f Q (C n 1 ). Proof: In order to send a response in advance at the ith round with probability of being correct greater that 1/2, the adversary must send either Ri 0 f Q(C i 1 0) or Ri 1 f Q (C i 1 1). By definition, f Q (C i 1 0) = f(c i 1 ) and f Q (C i 1 1)=f Q (C i 1 ) q i. Therefore, Ri 0 f Q(C i 1 0)= Ri 0 f Q(C i 1 ) and Ri 1 f Q(C i 1 1) = Ri 1 f Q(C i 1 ) q i. Since the adversary knows the values Ri 0, R1 i, and q i, guessing the correct value at this round is equivalent to guessing the correct value of f Q (C i 1 ). As stated in Theorem 3, the adversary needs to guess the sequence f Q (C 1 ),...,f Q (C n 1 ) in order to succeed. Theorem 4 provides the adversary s best behavior to reach this goal. Theorem 4: The best adversary s behavior to guess f Q (C i ) is to assume that her previous guess for f Q (C i 1 ) is correct and to compute f Q (C i ) as follows: (a) if q i =0, then consider f Q (C i )=f Q (C i 1 ).(b)ifq i =1, pick a random bit c i and consider that f Q (C i )=f Q (C i 1 ) c i. Proof: Assuming that q i =0, then f Q (C i )=f Q (C i 1 ) and thus, the probability to guess f Q (C i ) is equal to the probability of guessing f Q (C i 1 ). In the case of q i =1, the adversary does not have a better behavior than choosing a random bit of challenge c i and considering that f Q (C i )=f Q (C i 1 ) c i. Given that f Q (ɛ) =0where ɛ is the empty sequence, the proof can be concluded by induction. 3 Another strategy named the circle analysis was introduced in [21]. However, few protocols have been analyzed considering this strategy, mainly because the analysis becomes unmanageable.

5 5694 IEEE TRANSACTIONS ON WIRELESS COMMUNICATIONS, VOL. 13, NO. 10, OCTOBER 2014 TABLE I THE THREE POSSIBLE SCENARIOS WHEN SOME NOISE OCCURS AT THE ith ROUND the prover and the verifier are synchronized or not. To that aim, we rise the following observation. Observation 1: Several consecutive rounds where all, or almost all, the answers hold that r i = r i (resp. r i r i ), might indicate that the legitimate prover and the verifier have been synchronized (resp. desynchronized). Given the best adversary s behavior provided by Theorems 3 and 4, Theorem 5 shows a recursive way to compute the resistance to distance fraud. Theorem 5: Let D i be the event that the distance fraud adversary successfully passes the protocol until the ith round. Then, Pr(D i ) can be computed as follows: Pr(D i )= 1 4 Pr(D i 1)+ 1 2 i i 1 Pr(D j ) 1 2 i j. j=1 where Pr(D 0 )=1is the stopping condition. Proof: Given that the theorem proof is not required to understand what follows, the proof is provided in [25]. V. N OISE RESILIENCE Some efforts have been made in order to adapt existing distance-bounding protocols to noisy channels. Most of them rely on using a threshold x representing the maximum number of incorrect responses expected by the verifier [15] [17], [22]. Intuitively, the larger x, the lower the false rejection ratio but also the lower the resistance to mafia and distance frauds. Others use an error correction code during an extra slow phase [19]. However, the latter cannot be applied to our protocol given that it does not contain any final slow phase. Consequently, we focus on the threshold technique. A. Understanding the Noise Effect in Our Protocol We consider in the analysis that a 1-bit challenge (on the forward channel) can be flipped due to noise with probability p f and a 1-bit answer (on the backward channel) can be flipped with probability p b. Further, we denote as c i the bit-challenge received by the prover at the ith round, which might be obviously different to the challenge c i. Similarly, r i denotes the response received by the verifier at the ith round. As in previous works [15], the considered forward and backward channels are assumed to be memoryless. Table I shows the three different scenarios when considering a noisy communication at the ith round in our protocol. According to the protocol, in a noise-free ith round executed with a legitimate prover it holds that r i = r i f Q (C i )= f Q ( C i ). We thus say that prover and verifier are synchronized at the ith round if f Q (C i )=f Q ( C i ), otherwise they are said to be desynchronized. Intuitively, in a noise-free ith round the answer r i can be considered correct by the verifier either if r i = r i and they are synchronized or if r i r i and they are desynchronized. The challenge is therefore to identify whether B. Our Noise-Resilient Mechanism Based on Observation 1, we propose an heuristic aimed at identifying those rounds where prover and verifier switch from being synchronized to desynchronized or vice versa. The heuristic is named SwitchedRounds and its pseudocode description is provided by Algorithm 1. Algorithm 1 SwitchedRounds Require: The challenges c 1...c n and the registers R 0, R 1, and Q. The prover s responses r 1... r n. A threshold Δl indicating the minimum matching length. 1: Let d 1...d n be a sequence such that d i = r i R c i i f(c i ); 2: Let d i...d j be the longest matching with (1+)0 (1+)$ 1(0+)1 0(1+)0 1(0+)$ 0(1+)$; 3: if j i < Δl or no matching exists then return the empty set; 4: Let s be 0 if the matching is with 1(0+)1 1(0+)$ and 1 otherwise; 5: Let r be the closest index to i +1such that q r =1; 6: Let A be the output of SwitchedRounds on d 1...d i 1 ; 7: Let B be the output of SwitchedRounds on d j+1...d n ; 8: Let E be the union of A {(r, s)} B such that the indexes are in increasing order and every two consecutive pairs have different Boolean values; 9: return E; SwitchedRounds creates first the sequence d 1...d n where d i =0if r i = r i, otherwise d i =1. Following Observation 1, it searches for the longest subsequence d i...d j that matches any of the following patterns 4 :(a) (1+)0 (b) (1+)$ (c) 1(0+)1 (d) 0(1+)0 (e) 1(0+)$ (f) 0(1+)$. The aim of these patterns is to look for large subsequences of either consecutive 0 s or 1 s in d 1...d n. Note that, we do not include the patterns (0+)1 and (0+)$ because starting with a sequence of zeros is exactly what the verifier expects. Intuitively, the lower the expected noise the larger the subsequences should be. We parametrize this trade-off between the noise and the expected number of consecutive rounds where no switch occurs (see Observation 1) by using a threshold Δ l.as an example, let us consider the case where the communication channel is noiseless. Since no noise is expected, the sequence d 1...d n should be equal to n consecutive zeros unless an attack is being performed, in which case Δ l =n. In Algorithm 1, Δl consequently defines how large a matching d i...d j should 4 The patterns have been written following the POSIX Extended Regular Expressions standard. The symbols and $ represent the start and the end of the string, respectively.

6 TRUJILLO-RASUA et al.: DISTANCE BOUNDING FACING BOTH MAFIA AND DISTANCE FRAUDS 5695 Fig. 3. The mafia fraud [Fig. 3(a)] and distance fraud [Fig. 3(b)] success probabilities considering up to 64 rounds (logarithmic scale). The considered protocols are AT [14], HK [15], KA2 [16], Poulidor [20], and our protocol. (a) Mafia fraud; (b) distance fraud. be in order to be analyzed. We discuss a computational approach to estimate a practical value for Δl in Section VI. If a pattern d i...d j holds that j i Δl, SwitchedRounds looks for the closer index r to i +1 such that q r =1, and assumes that the rth round caused the switch from synchronization to desynchronization or vice versa. To illustrate the role of r by an example, let us consider a protocol where q 1 =1, q 2 =0, and R 0 = R 1. In this case, a forward noise at the first round desynchronizes the prover and the verifier, which makes the prover to answer incorrectly. This wrong answer could be flipped and becomes correct if a backward noise occurs. Consequently, the verifier cannot detect the noise in the first round. However, if no noise occurs in the second round, the prover s answer will be incorrect due to the desynchronization. The verifier can easily determine that such desynchronization occurred in the first round (r =1)since q 2 =0while q 1 =1. Once r is found, the pair (r, s) is created where s is 0 if the switch is to synchronization, s =1otherwise. Finally, SwitchedRounds recursively calls itself to analyze the two subsequences lying on the left and right side of d i...d j. The output is the union of all obtained pairs such that they are in increasing order (according to the round) and every two consecutive pairs have different values (according to the type of switching). Armed with the SwitchedRounds algorithm, the threshold technique can be straightforwardly applied as Algorithm 2 shows. It simply counts the number of errors that occurred during the execution of the protocol where an error is defined as either a switched round or a wrong response. Both cases are considered as error because, on the one hand, a switched round might be falsely detected during an attack, and on the other hand, there is no distinction between a wrong response due to noise or to an attack. Finally, the protocol is considered to fail if the number of errors is above a threshold x. Note that basing the decision on a threshold is a common and easy procedure but not the best one, especially when the channels are not memoryless. Instead, the decision procedure could consist in comparing the vector d 1...d n with the error distribution on the noisy channels. Algorithm 2 Authentication in the presence of noise Require: All the parameters of the protocol; an integer value x representing the noise tolerance; and a threshold Δl. 1: Let E be the output of SwitchedRounds algorithm on input c 1...c n, r 1... r n, R 0, R 1, Q, and Δl; 2: Let d 1...d n be a sequence such that d i = r i R c i i f(c i ); 3: Let s be a Boolean variable initialized in 0; 4: Let errors be a counter initialized in 0; 5: for all 1 i n do 6: if (i, s ) E then 7: s s ; errors ++; 8: else if (d i =0and s =1)or(d i =1and s =0) then 9: errors ++; 10: if errors > x then return fail; 11: else return success; VI. EXPERIMENTS AND COMPARISON The first part of this section compares the protocols AT [14], HK [15], KA2 [16], Poulidor [20], and our proposal, in terms of mafia fraud resistance, distance fraud resistance, and memory consumption. The second part addresses the noisy case, comparing our proposal with KA2 and HK. 5 A. Noise-Free Environment Mafia and distance fraud analyses in a noise-free environment can be found in [14] [16], [20] for KA2, AT, Poulidor, and HK. In the case of AT and Poulidor, only an upper-bound of their resistance to distance fraud have been provided [11], [20]. Considering those previous results, Fig. 3(a) and (b) show the resistance to mafia and distance frauds, respectively for the five considered protocols in a single chart. For each of them, the configuration that maximizes its security has been chosen: 5 Neither AT nor Poulidor claim to be noise resilient.

7 5696 IEEE TRANSACTIONS ON WIRELESS COMMUNICATIONS, VOL. 13, NO. 10, OCTOBER 2014 Fig. 4. Two trade-off charts showing the most efficient protocol for each pair of mafia and distance fraud probability values ranging between 1 and (1/2) 64. Fig. 4(a) considers the protocols AT [14], HK [15], KA2 [16], Poulidor [20], and our proposal, while Fig. 4(b) changes AT by its variant AT-3. (a) Trade-off without memory constraint; (b) trade-off with memory constraint. this is particularly important for AT and KA2 because different configurations can be used. Fig. 3(a) shows that our proposal roughly lies in the middle of the best case (AT and KA2) and the worst case (HK) in terms of mafia fraud. However, both AT and KA2 protocols pay a high price to attain such a high resistance to mafia fraud. The AT protocol requires an amount of memory that exponentially grows with the number of rounds, while the KA2 protocol does not resist to distance fraud in the configuration that maximizes its resistance to mafia fraud. In terms of distance fraud, our proposal is the best as shown by Fig. 3(b), while KA2 and HK represent the worst case. AT protocol also resists to distance fraud, however, still requiring an exponential amount of memory. Since our protocol aims to be resistant to both frauds, it makes sense to consider the two properties together. To do so, we follow the technique used in [20] to seek for a good tradeoff. This technique first discretizes the mafia fraud (x) and distance fraud (y) success probabilities. For every pair (x, y), it evaluates which protocol is the less round-consuming. This protocol is considered as the best for the considered pair. In case of draw between two protocols, the one that is the less memory-consuming is considered as the best protocol. Using this idea, it is possible to draw what we call a trade-off chart, which represents for every pair (x, y) the best protocol among the five considered ones [see Fig. 4(a)]. Fig. 4(a) shows that our protocol offers a good trade-off between resistance to mafia fraud and resistance to distance fraud, especially when a high security level against distance fraud is expected. In other words, our protocol is better than the other considered protocols, except when the expected security levels for mafia and distance frauds are unbalanced, which is meaningless in common scenarios. Another interesting comparison takes into consideration the memory consumption of the protocols. Indeed, for n rounds of the fast phase, AT requires 2 n+1 1 bits of memory, which is prohibitive for most pervasive devices. We can therefore compare protocols that require a linear memory w.r.t. the number of rounds n. For that, we consider a variant of AT [14], denoted AT-3, that uses n/3 trees of depth 3 instead of just one tree of depth n. By doing so, the memory consumption of all the considered protocols is below 5n bits of memory. The resulting trade-off chart (Fig. 4(b)) shows that constraining the memory consumption considerably reduces the area where AT is the best protocol, but it also shows that our protocol provides the best trade-off in this scenario as well. B. Noisy Environment Among the protocols we are considering, only HK [15] and KA2 [16] claim to be noise resilient. For this reason, we analyze in this section the performance of our proposal in the presence of noise by comparing it with HK and KA2. The comparison is performed by considering two properties: availability and security. Availability is measured in terms of false rejection ratio and security in terms of mafia fraud resistance. It should be remarked that, distance fraud resistance has not been considered for simplicity and because, as shown previously, our proposal outperforms all the other protocols in terms of this fraud. An important parameter when measuring availability and security for the three protocols is the number of allowed incorrect responses (x). In the case of KA2 and our proposal, other parameters are the minimum size of the pattern (s) (denoted by Δl in Algorithm 1) and the number of predefined challenges p, respectively. Theoretical bounds for these parameters in term of the number of rounds and noise probabilities might be provided, however, we left this non-trivial task for future work. Instead, we treat the three parameters z =(x, s, p) as the variables of an optimization problem defined as follows.

8 TRUJILLO-RASUA et al.: DISTANCE BOUNDING FACING BOTH MAFIA AND DISTANCE FRAUDS 5697 Fig. 5. The maximum resistance to mafia fraud of HK, KA2, and our proposal, considering 48 rounds, a false rejection ratio lower than 5%, and different values p f and p b :infig.5(a)p f = p b {0, 0.005,...,0.045, 0.05}, and in Fig. 5(b) p f + p b =0.05 where p f {0, 0.005,...,0.045, 0.05}.(a)p f = p b ; (b) p f + p b =0.05. Problem 1: Let Π be a distance-bounding protocol, n the number of rounds, p f the probability of noise in the forward channel, and p b the probability of noise in the backward channel. Let Π security p f,p b,n (z) and Π availability p f,p b,n (z) be the functions that, given a set of parameters z =(x, s, p), compute the adversary success probability when mounting a mafia fraud against Π and the false rejection ration of Π, respectively. Given a threshold Δ, the optimization problem consists in: minimizing Π security p f,p b,n (z) s.t. Π availability p f,p b,n (z) Δ. To follow notations of Problem 1, we assume that Π {HK, KA2, Our} where Our denotes our proposal. Therefore, algorithms to compute Π security p f,p b,n (z) and Π availability p f,p b,n (z) for every Π {HK, KA2, Our} are required. In case Π = HK, HK security p f,p b,n (z) can be computed as shown in [15], while HK availability p f,p b,n (z) is in [25]. For Π=KA2, an algorithm to compute KA2 security p f,p b,n (z) is given in [16]. Unfortunately, analytical expressions for KA2 availability p f,p b,n (z), Our security p f,p b,n (z), and Our availability p f,p b,n (z), seem to be cumbersome to find. Therefore, we address this issue by means of simulation. A simulation means that, given a protocol Π, all the parties (Verifier, Prover, and Adversary) are simulated. The protocol is then executed 10 6 times and the mean of the results (either security or availability) is taken as the estimation. For the experiments, we consider 48 rounds and a false rejection ratio lower than 5%. Note that, there does not exist a real consensus on how many rounds should be executed in a distance-bounding protocol. For instance, in [16] up to 40 rounds are considered, while others might vary from 20 [17] to 80 [23]. We normally choose 64 rounds for our experiments [20]. However, since our optimization problem is solved by means of simulations whose performance decrease with the number of rounds, we drop from 64 to 48 rounds. Regarding noise we consider two cases: (a) both forward and backward channels introduce noise with the same probability (p f = p b 0.05), and (b) the noise probabilities for the forward and backward channels are not necessarily equal and are related as follows (p f + p b =0.05). 6 We do not consider an overall noise probability higher than 0.1 as suggested in [17]. Actually, a high noise probability makes useless all the distance-bounding protocols proposed up-to-date. Armed with these settings, Fig. 5(a) and (b) show the maximum resistance to mafia fraud for the three protocols considering the cases (a) and (b), respectively. Fig. 5(a) shows the mafia fraud resistance of the three protocols when p f = p b. As expected, the higher the noise the lower the provided security of the three protocols. In this scenario, however, our protocol is clearly the best even though KA2 achieves the highest resistance when no noise is considered (p f = p b =0). A different scenario (p f + p b =0.05) isshownbyfig.5(b). There, the security of HK improves with p f, while KA2 and our protocol are clearly sensitive to the increase of p f.thisisan inherent problem of both protocols since a noise in the forward channel could cause a desynchronization between the prover and the verifier. Nevertheless, thanks to the noise-resilience mechanism proposed in Section V-B, our protocol deals with noise much better than KA2 and, in general, performs better than both HK and KA2. VII. CONCLUSION A new lightweight distance-bounding protocol has been introduced in this paper. The protocol simultaneously deals with both mafia and distance frauds, with neither sacrificing memory nor requiring additional computation. The analytical expressions and experimental results show that the new protocol clearly provides the best trade-off between mafia and distance fraud resistance. Such a performance is achieved thanks to a novel round-dependent design where the prover is unable to guess any challenge with probability higher than 1/2. The 6 We have performed experiments by considering several other correlations between p f and p b. The results are not significantly different to those provided by these two cases, though.

9 5698 IEEE TRANSACTIONS ON WIRELESS COMMUNICATIONS, VOL. 13, NO. 10, OCTOBER 2014 protocol also goes a step further by dealing with the inherent background noise on the communication channels. To the best of our knowledge, the proposed protocol is the first lightweight and noise-resilient distance-bounding protocol that resists both mafia and distance frauds. This is a major advantage compared to the other existing protocols. REFERENCES [1] J. H. Conway, On Numbers and Games. Natick, MA, USA: AK Peters, [2] Y. Desmedt, C. Goutier, and S. Bengio, Special uses and abuses of the Fiat-Shamir passport protocol, in Proc. Int. CRYPTO Conf., 1987, pp [3] A. Fiat and A. Shamir, How to prove yourself: Practical solutions toidentification and signature problems, in Proc. Int. CRYPTO Conf., 1986, pp [4] L. Francis, G. P. Hancke, K. Mayes, and K. Markantonakis, Practical NFC Peer-to-peer relay attack using mobile phones, in Proc. Workshop RFIDSec, 2010, pp [5] G. P. Hancke and M. G. Kuhn, Attacks on time-of-flight distance bounding channels, in Proc. ACM Conf. WiSec, 2008, pp [6] A. Francillon, B. Danev, and S. Capkun, Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars, in Cryptology eprint Archive, Report 2010/332, [7] L. Sportiello and A. Ciardulli, Long distance relay attack, in Proc. Workshop RFIDSec, 2013, pp [8] S. Brands and D. Chaum, Distance-bounding protocols, in Proc. EUROCRYPT Int. Conf. Theory Appl. Tech., 1993, pp [9] S. Bengio, G. Brassard, Y. Desmedt, C. Goutier, and J.-J. Quisquater, Secure implementation of identification systems, J. Cryptol., vol. 4, no. 3, pp , [10] L. Bussard and W. Bagga, Distance-bounding proof of knowledge to avoid real-time attacks, in Proc. Security Privacy Age Ubiquitous Comput., 2005, pp [11] R. Trujillo-Rasua, Complexity of distance fraud attacks in graph-based distance bounding, in Proc. 10th Int. Conf. MobiQuitous Syst., Comput., Netw. Serv., Tokyo, Japan, [12] C. H. Kim, G. Avoine, F. Koeune, F.-X. Standaert, and O. Pereira, The swiss-knife RFID distance bounding protocol, in Proc. ICISC, 2008, pp [13] G. Avoine, C. Lauradoux, and B. Martin, How secret-sharing can defeat terrorist fraud, in Proc. 4th ACM Conf. WiSec, 2011, pp [14] G. Avoine and A. Tchamkerten, An efficient distance bounding RFID authentication protocol: Balancing false-acceptance rate and memory requirement, in Proc. Inf. Security Conf., 2009, pp [15] G. P. Hancke and M. G. Kuhn, An RFID distance bounding protocol, in Proc. 1st Int. Conf. Security Privacy Emerging Areas Commun. Netw., 2005, pp [16] C. H. Kim and G. Avoine, RFID distance bounding protocols with mixed challenges, IEEE Trans. Wireless Commun., vol. 10, no. 5, pp , May [17] J. Munilla and A. Peinado, Distance bounding protocols for RFID enhanced by using void-challenges and analysis in noisy channels, Wireless Commun. Mobile Comput., vol. 8, no. 9, pp , Nov [18] J. Reid, J. M. G. Nieto, T. Tang, and B. Senadji, Detecting relay attacks with timing-based protocols, in Proc. 2nd ASIACCS,2007,pp [19] D. Singelée and B. Preneel, Distance bounding in noisy environments, in Proc. ESAS, 2007, pp [20] R. Trujillo-Rasua, B. Martin, and G. Avoine, The Poulidor distance-bounding protocol, in Proc. Workshop RFID Security, 2010, pp [21] G. Avoine, M. A. Bingöl, S. Kardaş, C. Lauradoux, and B. Martin, A framework for analyzing RFID distance bounding protocols, J. Comput. Security, vol. 19, no. 2, pp , Apr [22] W. Xin, T. Yang, C. Tang, J. Hu, and Z. Chen, A distance bounding protocol using error state and punishment, in Proc. 1st Int. Conf. IMCCC, 2011, pp [23] G. Avoine, C. Floerkemeier, and B. Martin, RFID distance bounding multistate enhancement, in Proc. Progress INDOCRYPT, 2009, pp [24] S. Lee, J. S. Kim, S. J. Hong, and J. Kim, Distance bounding with delayed responses, IEEE Commun. Lett., vol. 16, no. 9, pp , Sep [25] R. Trujillo-Rasua, B. Martin, and G. Avoine, Distance bounding facing both mafia and distance frauds (Technical Report) CoRR, abs/ , [Online]. Available: Rolando Trujillo-Rasua received the B.Sc. degree in computer science from La Universidad de la Habana, Havana, Cuba, in 2006, and the M.Sc. and Ph.D. degrees in computer engineering from the Universitat Rovira i Virgili, Tarragona, Spain, in 2009 and 2012, respectively. He is a Research Associate with the Interdisciplinary Centre on Security, Reliability, and Trust, University of Luxembourg, Luxembourg City, Luxembourg. Benjamin Martin received the M.Sc. degrees in both mathematics and computer science from the University of Bordeaux I, Talence, France. He is currently working toward the Ph.D. degree in information security at the Université Catholique de Louvain, Louvain-la-Neuve, Belgium. Gildas Avoine received the B.S. degree in mathematics and the B.S. and M.S. degrees in computer science from the University of Caen, Caen, France and the Ph.D. degree in cryptography from the Swiss Federal Institute of Technology. He is a Professor of security and cryptography with the Institut National des Sciences Appliquées de Rennes, Rennes, France, and with the Université Catholique de Louvain, Louvain-la-Neuve, Belgium. Previously, he was a Researcher with the Massachusetts Institute of Technology, Cambridge, MA, USA, and with the Swiss Federal Institute of Technology, Lausanne, Lausanne, Switzerland.